Dozens of STARTTLS Related Flaws Found Affecting Popular Email Clients

Security researchers have disclosed as many as 40 different
vulnerabilities associated with an opportunistic encryption
mechanism in mail clients and servers that could open the door to
targeted man-in-the-middle (MitM) attacks, permitting an intruder
to forge mailbox content and steal credentials.

The now-patched flaws, identified in various STARTTLS
implementations, were detailed[1]
by researchers Damian Poddebniak, Fabian Ising, Hanno Böck, and
Sebastian Schinzel at the 30th USENIX Security Symposium. In an
Internet-wide scan conducted during the study, 320,000 email servers
were found vulnerable to what the researchers call a command
injection attack.

Some of the popular clients affected by the bugs include Apple
Mail, Gmail, Mozilla Thunderbird, Claws Mail, Mutt, Evolution,
Exim, Mail.ru, Samsung Email, Yandex, and KMail. The attacks
require that the attacker be able to tamper with connections
between an email client and the provider's mail server, and hold
login credentials for an account of their own on that same server.

STARTTLS refers to a form of opportunistic TLS[2]
that enables email communication protocols such as SMTP, POP3, and
IMAP to be transitioned or upgraded from a plain text connection to
an encrypted connection instead of having to use a separate port
for encrypted communication.

“Upgrading connections via STARTTLS is fragile and vulnerable to
a number of security vulnerabilities and attacks,” the researchers
noted[3], allowing a
meddler-in-the-middle to inject plaintext commands that a “server
would interpret as if they were part of the encrypted
connection,” thereby enabling the adversary to steal credentials
with the SMTP and IMAP protocols.

“Email clients must authenticate themselves with a username and
password before submitting a new email or accessing existing
emails. For these connections, the transition to TLS via STARTTLS
must be strictly enforced because a downgrade would reveal the
username and password and give an attacker full access to the email
account,” the researchers added.
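The command injection works because the server reads the client's STARTTLS line, and anything pipelined behind it, into one receive buffer before the handshake. The toy SMTP server below is an added example written for this page, not code from the paper or from any of the affected products. With `flush_on_starttls=False` it executes an attacker's plaintext `AUTH PLAIN` as though it had arrived over TLS; with the flag set it discards the buffer at the upgrade, as RFC 3207 requires. Account names, passwords and reply texts are constructed.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample accounts on the shared server. As the article notes, the
# attacker needs credentials for an account of their own on that server.
ACCOUNTS = {"attacker": "attacker-pw", "victim": "victim-pw"}


def auth_plain(user: str, password: str) -> bytes:
    """Build an AUTH PLAIN command line (RFC 4616: base64 of NUL user NUL password)."""
    blob = base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode())
    return b"AUTH PLAIN " + blob + b"\r\n"


@dataclass
class ToySmtpServer:
    """Minimal SMTP-like command loop with a single receive buffer."""

    flush_on_starttls: bool          # True models the patched behaviour
    tls_active: bool = False
    authenticated_as: Optional[str] = None
    _buffer: bytes = b""

    def receive(self, data: bytes) -> List[str]:
        """Feed bytes read from the socket; return the replies they produce.

        Before the handshake, data is raw TCP plaintext; afterwards it is the
        decrypted TLS payload. Whatever is still in the buffer when STARTTLS is
        handled was therefore read before any encryption existed.
        """
        self._buffer += data
        replies: List[str] = []
        while b"\r\n" in self._buffer:
            line, self._buffer = self._buffer.split(b"\r\n", 1)
            reply = self._handle(line.decode("ascii", "replace"))
            replies.append(reply)
            if reply.startswith("220"):
                # The TLS handshake happens here. RFC 3207 says the server must
                # discard any knowledge obtained from the client before TLS;
                # that includes bytes already sitting in the receive buffer.
                if self.flush_on_starttls:
                    self._buffer = b""
                break
        return replies

    def _handle(self, cmd: str) -> str:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "STARTTLS":
            if self.tls_active:
                return "503 TLS already active"
            self.tls_active = True
            return "220 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls_active:           # plaintext AUTH is refused
                return "530 Must issue a STARTTLS command first"
            if self.authenticated_as:
                return "503 Already authenticated"
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 Unrecognized authentication type"
            try:
                _, user, password = base64.b64decode(blob).split(b"\0")
            except (ValueError, binascii.Error):
                return "501 Syntax error in parameters or arguments"
            if ACCOUNTS.get(user.decode()) == password.decode():
                self.authenticated_as = user.decode()
                return "235 Authentication succeeded"
            return "535 Authentication credentials invalid"
        return "502 Command not implemented"


def run_session(flush_on_starttls: bool) -> dict:
    """One connection: the MitM appends its own plaintext AUTH to the victim's
    STARTTLS line, then the victim authenticates inside the TLS tunnel."""
    server = ToySmtpServer(flush_on_starttls)
    # What one socket read returns: the victim's STARTTLS and the attacker's
    # injected command arrive together, before the handshake.
    pre_tls = server.receive(b"STARTTLS\r\n" + auth_plain("attacker", "attacker-pw"))
    # The handshake completes and the attacker can no longer inject anything.
    # The victim's client now sends its credentials, which arrive decrypted.
    post_tls = server.receive(auth_plain("victim", "victim-pw"))
    return {"pre_tls": pre_tls, "post_tls": post_tls,
            "authenticated_as": server.authenticated_as}


if __name__ == "__main__":
    for fixed in (False, True):
        print("patched" if fixed else "vulnerable", run_session(fixed))
```

Run it and compare the two sessions: the vulnerable server ends up authenticated as `attacker`, and the victim's own `AUTH` inside TLS is answered with a 503, even though the same plaintext `AUTH` sent on its own is refused with a 530. The victim's client believes it has just upgraded to a fresh, encrypted session, but the session is bound to the attacker's account. The generic fix is the single buffer reset at the handshake.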

In an alternative scenario that could facilitate mailbox
forgery, the attacker appends additional content to the server's
response to the STARTTLS command before the TLS handshake. The
client then processes those injected server messages as if they
were part of the encrypted connection. The researchers dubbed this
attack “response injection.”

The last line of attack concerns the IMAP[4]
protocol, which defines a standardized way for email clients to
retrieve email messages from a mail server over a TCP/IP
connection. A malicious actor can bypass STARTTLS in IMAP by
sending a PREAUTH[5]
greeting, a response that indicates the connection has already been
authenticated by external means. Because no login is needed in that
state, the client never issues STARTTLS, the upgrade is prevented,
and the entire session is forced onto an unencrypted connection.
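Both client-side problems above, response injection and the PREAUTH greeting, come down to what a client does with bytes it read before TLS existed. The toy IMAP client below is an added example written for this page, not code from the paper or from any of the affected clients. With `fixed=False` it hands a forged untagged response appended to the STARTTLS reply to the mail UI as though it were encrypted, and it accepts a PREAUTH greeting and carries on in plaintext; with `fixed=True` it discards the buffer at the upgrade and refuses PREAUTH. The tags, greeting texts and responses are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


class TlsRequired(Exception):
    """The client refused to continue because the session could not be upgraded to TLS."""


@dataclass
class ToyImapClient:
    """Minimal IMAP-like client with a single receive buffer.

    `fixed` selects the patched behaviour: flush the buffer when TLS comes up
    and refuse a PREAUTH greeting on a connection that should use STARTTLS.
    """

    fixed: bool
    tls_active: bool = False
    _buffer: bytes = b""
    # (channel, line) pairs: what the protocol layer hands to the mail UI as trusted
    trusted: List[Tuple[str, str]] = field(default_factory=list)
    # (channel, command) pairs: what the client has written to the socket
    sent: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def channel(self) -> str:
        return "tls" if self.tls_active else "plain"

    def feed(self, data: bytes) -> None:
        """Bytes read from the socket: raw plaintext, or decrypted payload once TLS is up."""
        self._buffer += data

    def send(self, command: str) -> None:
        self.sent.append((self.channel, command))

    def _readline(self) -> str:
        line, _, self._buffer = self._buffer.partition(b"\r\n")
        return line.decode("ascii", "replace")

    def read_greeting(self) -> str:
        greeting = self._readline()
        if greeting.startswith("* PREAUTH"):
            # PREAUTH means "already authenticated"; STARTTLS is not allowed in
            # that state, so a client that accepts it never encrypts anything.
            if self.fixed:
                raise TlsRequired("PREAUTH greeting on a plaintext connection")
            self.trusted.append((self.channel, greeting))
        elif not greeting.startswith("* OK"):
            raise TlsRequired("unexpected greeting: " + greeting)
        return greeting

    def upgrade(self) -> None:
        """Consume the server's reply to our STARTTLS and switch to TLS."""
        reply = self._readline()
        if not reply.startswith("a001 OK"):
            raise TlsRequired("server refused STARTTLS: " + reply)
        self.tls_active = True            # stands in for the real handshake
        if self.fixed:
            # Anything still buffered was read before the handshake, so it came
            # from whoever controlled the plaintext path. Discard it.
            self._buffer = b""

    def drain(self) -> None:
        """Hand every complete response line to the higher layer."""
        while b"\r\n" in self._buffer:
            self.trusted.append((self.channel, self._readline()))


def response_injection(fixed: bool) -> List[Tuple[str, str]]:
    """MitM appends a forged untagged response to the genuine STARTTLS reply."""
    c = ToyImapClient(fixed)
    c.feed(b"* OK IMAP4rev1 ready\r\n")                       # genuine greeting
    c.read_greeting()
    c.send("a001 STARTTLS")
    # Server reply plus the attacker's appended line, in one TCP segment.
    c.feed(b"a001 OK Begin TLS negotiation now\r\n* 5 EXISTS\r\n")
    c.upgrade()
    c.feed(b"* 0 EXISTS\r\n")                                 # first genuine, decrypted response
    c.drain()
    return c.trusted


def preauth_downgrade(fixed: bool) -> List[Tuple[str, str]]:
    """MitM replaces the server's greeting with PREAUTH so STARTTLS never happens."""
    c = ToyImapClient(fixed)
    c.feed(b"* PREAUTH already authenticated\r\n")
    c.read_greeting()                 # patched client raises TlsRequired here
    c.send("a002 SELECT INBOX")       # vulnerable client carries on in plaintext
    return c.sent


if __name__ == "__main__":
    print("vulnerable:", response_injection(False))
    print("patched:   ", response_injection(True))
    print("vulnerable:", preauth_downgrade(False))
    try:
        preauth_downgrade(True)
    except TlsRequired as e:
        print("patched:    refused,", e)
```

The vulnerable client reports the forged `* 5 EXISTS` on the `tls` channel, indistinguishable to the UI from the genuine `* 0 EXISTS` that arrived encrypted, and after a PREAUTH greeting it issues `SELECT INBOX` in plaintext, exposing whatever the mailbox session exchanges. The patched client keeps only the decrypted response and aborts on PREAUTH rather than continue without TLS.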

Stating that implicit TLS is a more secure option than STARTTLS,
the researchers recommend that users configure their email clients
to use SMTP, POP3 and IMAP with implicit TLS on the dedicated ports
(465, 995, and 993 respectively), and urge developers of email
server and client applications to offer implicit TLS by default.

“The demonstrated attacks require an active attacker and may be
recognized when used against an email client that tries to enforce
the transition to TLS,” the researchers said. “As a general
recommendation you should always update your software and (to also
profit from faster connections) reconfigure your email client to
use implicit TLS only.”

References

  1. detailed (www.usenix.org)
  2. opportunistic TLS (en.wikipedia.org)
  3. noted (nostarttls.secvuln.info)
  4. IMAP (en.wikipedia.org)
  5. PREAUTH (datatracker.ietf.org)